CarrierIQ Tries To Silence Security Researcher

Soulskill posted more than 2 years ago | from the good-luck-with-that dept.

Security 216

phaedrus5001 sends this quote from a story at Wired: "A data-logging software company is seeking to squash an Android developer's critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company's training manuals from his website. Though the software is installed on millions of Android, Blackberry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user's phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent." The EFF is hosting PDFs of CarrierIQ's C&D letter, as well as their response on Eckhart's behalf.

216 comments

He should remove it. (5, Funny)

Pastor Jake (2510522) | more than 2 years ago | (#38143376)

My Brothers and Sisters in Christ,

This man is working to remove software which can be used to identify pedophiles, rapists, and other ungodly characters which are plaguing this nation. He should be brought to justice for undermining our government's attempt to keep our land free and Christian. I propose that we take this software a step further, and have it display a random Bible verse on bootup of the device, in order to spread Christ's message to the unsaved.

God bless,
Jake

Re:He should remove it. (4, Insightful)

masternerdguy (2468142) | more than 2 years ago | (#38143410)

You can't sacrifice privacy for security, it doesn't work that way.

Re:He should remove it. (2)

Synerg1y (2169962) | more than 2 years ago | (#38143450)

Yep I keep saying this, if you don't know wtf, then don't use your phone in a manner that compromises self. However, I'm unclear how this is legal, is it part of the smartphone UELA? Wasn't there something that required software vendors on smart phones to obtain user consent on what features are being transmitted since the iphone fiasco? If not there damn well should be, no idea who these fags are besides a now bulls eyed hack target with probably a newb admin.

My advice for Trevor: post your shit on tpb (or similar torrent site) and find some seeders, that way a take down notice doesn't do shit.

Re:He should remove it. (4, Funny)

LordLimecat (1103839) | more than 2 years ago | (#38144212)

Here thar be trolls.

Don't feed them.

Re:He should remove it. (4, Insightful)

wierd_w (1375923) | more than 2 years ago | (#38143492)

Ahh, but therein lies the rub 'brother':

As many Christian fundamentalists are publicly on record for asserting, the very people that would have access to this technology's data logs are also "secular, heathen, sinners" who "hate god", and "actively disparage and discriminate against true believers."

This tool would enable deadly and repressive government officials to prevent the spread of Christianity through this technological outlet, and would function just as sensationally as a tool of religious and ideological censorship as it would as a powerful tool to identify and punish criminals.

You cannot have your cake and eat it too, 'brother'.

(My troll-o-meter is pegging a 10, but it could be a Poe's law false positive. If you be trollin, research your religious fundies more dutifully next time. If you were simply naive about the serious implications of software like this, and honestly felt that a "think of the children!" argument was in any way grounds for outright debasement of fundamental liberties that everyone enjoys and society is demonstrably better for, my advice would be to always think about what would happen if an evil person had control over that part of the process. The price of freedom is eternal vigilance, and those that trade freedom for the illusion of safety deserve neither.)

Re:He should remove it. (0)

marcushnk (90744) | more than 2 years ago | (#38143512)

who the hell are you talking to?

ahh the imaginary friends again...

Re:He should remove it. (0)

ColdWetDog (752185) | more than 2 years ago | (#38143662)

who the hell are you talking to?

ahh the imaginary friends again...

-1 is NOT an imaginary number.

Re:He should remove it. (4, Funny)

Anarchduke (1551707) | more than 2 years ago | (#38144310)

but its square root is

Re:He should remove it. (2)

TheGratefulNet (143330) | more than 2 years ago | (#38144460)

my maffs must be wrong.

I thought the sqrt(god) = 1/ham_sandwich (for small values of god).

no?

Re:He should remove it. (1)

Aryden (1872756) | more than 2 years ago | (#38145280)

can you hold a -1 in your hand?

Re:He should remove it. (0)

Anonymous Coward | more than 2 years ago | (#38145808)

can you hold a -1 in your hand?

I'd prefer to keep holding my 10 1/2, thanks (my webcam audience seems to like it).

Re:He should remove it. (5, Insightful)

Ethanol-fueled (1125189) | more than 2 years ago | (#38143564)

While you are just trolling, the ultimate goal of the "total information awareness" program is in fact to quantify data used to predict events before they happen. This especially applies to the concept of "pre-crime," where your data would be fed through an algorithm. If your actions are undesirable to the establishment, then you will be followed and arrested with the first excuse they can muster.

And a fact most appropriate to your user ID - Religious lobbying in America has increased 500%. Among the most important issues of religious lobbying groups are:

- The relationship between church and state (pissing on that thing we call the constitution)
- Civil rights and liberties for religious and other minorities (like the gays?)
- Bioethics and life issues, including abortion, capital punishment and end-of-life issues (force people to have kids they don't want and prevent people in constant pain to pass peacefully, generally impede scientific progress)
- Family/marriage issues, including definition of marriage, domestic violence and fatherhood initiatives (great job in the bible belt, with its higher rates of divorce)

So yes, this is all related, because Christians are in charge of America, and Christians believe that everybody else should be subject to the same overbearing parenting that Christians were subject to as children. Big brother is their way of foisting their so-called "morality" upon everybody else, willing or unwilling.

Re:He should remove it. (1, Insightful)

LordLimecat (1103839) | more than 2 years ago | (#38144298)

While you are just trolling, the ultimate goal of the "total information awareness" program is in fact to quantify data used to predict events before they happen. This especially applies to the concept of "pre-crime," where your data would be fed through an algorithm. If your actions are undesirable to the establishment, then you will be followed and arrested with the first excuse they can muster.

Baloney. What would a private company with no visible gov't affiliations care about any of that? It's about marketing, plain and simple-- there's no conspiracy or Minority Report scenario needed to explain this, and Occam's Razor points straight to what they claim to be-- analytics and marketing.

And a fact most appropriate to your user ID - Religious lobbying in America has increased 500%. Among the most important issues of religious lobbying groups are:

Trying to link this to religious groups is such a reach it's not even funny. Can you point to a single bit of lobbying that went into this CarrierIQ situation? I thought not.

You completely fail to grasp that "separation of church and state" has NOTHING to do with what your values are and how they are formed. "A pastor voting in line with his religious views" isn't a violation of separation of church and state, it's protected speech under the first amendment and in line with everything the constitution stands for.

So yes, this is all related, because Christians are in charge of America, and Christians believe that everybody else should be subject to the same overbearing parenting that Christians were subject to as children.

That calls for a big bold [CITATION NEEDED]. All the religious Christians I know-- including myself-- regard a big overbearing government as a pretty bad thing, and understand that big groups of powerful authority figures are rarely a pure win. It MIGHT occur to you that pretty much everywhere Protestantism took hold eventually became a democracy, and our founding fathers were at LEAST theist with some of them being more overtly Christian.

I'm actually more worried about secular states that think they can achieve a utopia here and now, because those are the places that tend to turn into nightmarish totalitarian states.

Re:He should remove it. (3, Interesting)

Qzukk (229616) | more than 2 years ago | (#38144344)

What would a private company with no visible gov't affiliations care about any of that?

Why don't you ask Qwest's CEO, I think he gets out of jail sometime this decade for not bending over for Bush's warrantless wiretaps. Oh, sorry, I meant violating his job as CEO to make every penny possible by getting his government contracts cancelled for not bending over for Bush's warrantless wiretaps. Hmm, it doesn't sound much better that way either. How do you spin it so you can claim that these telecom companies have no visible government affiliations?

Re:He should remove it. (2, Insightful)

Galactic Dominator (944134) | more than 2 years ago | (#38144578)

All the religious Christians I know-- including myself-- regard a big overbearing government as a pretty bad thing, and understand that big groups of powerful authority figures are rarely a pure win.

Well, in case it's time for you renounce your totalitarianism celestial North Korea who convicts people of thought crime.

http://www.youtube.com/watch?feature=player_detailpage&v=8ORn-wmhliU#t=164s [youtube.com]

Re:He should remove it. (0)

LordLimecat (1103839) | more than 2 years ago | (#38144936)

I'm kind of surprised you are proud of that segment, it's about the worst argument or complaint against God I've ever heard. He follows it up with ridicule and strawmen-- what a thoughtful and pleasant man.

Re:He should remove it. (0)

Galactic Dominator (944134) | more than 2 years ago | (#38145106)

what a thoughtful and pleasant man

If you knew the man's good works which include an enormous amount helping the victimized people of the world, I wonder if you would be so quick to disparage him. I suspect the answer would still be yes with the cherry picked version of Christianity you present.

As for the rest of your statement and noting its lack of specifics, an ungenerous person might assume that is your standard response to views you disagree with. I don't feel particularly generous reading your comment.

Re:He should remove it. (3, Insightful)

Runaway1956 (1322357) | more than 2 years ago | (#38143820)

Well, Jake, your name seems to imply that you are a Christian. The Imam will be happy to get this CarrierIQ data, so that he can behead your infidel ass.

Not to mention, "Pastor" seems to imply that you're a Protestant. Just think, if the Pope had this sort of data way back, all you Protestant apostates could have been burned at the stake, along with that wench, Joan of Arc.

And, the atheist movement will also welcome all this information. This will make it easier to find you, for deportation to a reeducation camp.

In short - you're an idiot.

Re:He should remove it. (3, Informative)

LordLimecat (1103839) | more than 2 years ago | (#38144306)

His high UID combined with a clearly trollish statement means he might not be the idiot here. Yall are postin in a troll thread.

Re:He should remove it. (5, Funny)

shutdown -p now (807394) | more than 2 years ago | (#38144012)

I propose that we take this software a step further, and have it display a random Bible verse on bootup of the device

It's a wonderful idea, brother, but I would like to clarify something important first: KJV or NIV?

Re:He should remove it. (0)

Anonymous Coward | more than 2 years ago | (#38144654)

the original Hebrew version, of course.

Re:He should remove it. (1)

RyuuzakiTetsuya (195424) | more than 2 years ago | (#38144536)

*yawn* Boring troll is boring.

What's your thoughts on chiropractic? or HOSTS files?

Carrier IQ's PA on the matter (5, Informative)

RetailResTech (2499152) | more than 2 years ago | (#38143488)

Looks like CarrierIQ is trying to save face in their PA http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf [carrieriq.com] I wonder, I'm not entering a contract with CarrierIQ, are they collecting this data to their own servers then sending the data to the carriers or are the carriers collecting the data?

Re:Carrier IQ's PA on the matter (1)

Anonymous Coward | more than 2 years ago | (#38143578)

The only way someone tracking my personal information to give me a better 'user experience' really would seem to impress me would be to know exactly how I like a BJ.

I *GET* the information I *PURSUE*. I don't need anyone, let alone businesses, or corporations, trying to offer me things. That's for the passive... As an active and informed adult, I get what I look for.

Re:Carrier IQ's PA on the matter (1)

Runaway1956 (1322357) | more than 2 years ago | (#38143876)

That is also my attitude. I want something - let's say a new car. I research cars, of the type that I want. Which one has the most power? I mean, real horsepower, not "which one has the most hyped up powerful phrase in the television commercials". That information is available, with a quick google search. And, if I want a new shirt, I research the shirts. (alright, I don't really - I have spent a lifetime researching work shirts, and I just go buy a Carhartt shirt) Ditto for everything else I need or want. Google search finds whatever I need to know. Armed with FACTS, I then go find examples of the product to put my fingers on, before making a final decision.

Re:Carrier IQ's PA on the matter (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38144086)

With the facts provided by your google research, with your search results tailored by google based on their analysis of your browsing behaviour...

Re:Carrier IQ's PA on the matter (1)

Aryden (1872756) | more than 2 years ago | (#38145342)

it provides tailored results based on information that you willingly provide. Pretty damn big difference compared to a software that no one told you was collecting your data and sharing it.

CarrierIQ Protocol? (5, Funny)

Guppy (12314) | more than 2 years ago | (#38143526)

the software secretly chronicles a user's phone experience, from its apps, battery life and texts.

Let's hope someone succeeds in reverse engineering and implementing a copy of the CarrierIQ protocol, as I wish it to be known that my favorite App is the "Nude Crocheting Pocket Guide", and my current battery life is "Purple".

I will also be happy to forward my texts (which I shall not utter here) to the phone company as well, as soon as an international SMS character set for the language of Mordor is approved.

Re:CarrierIQ Protocol? (4, Funny)

LordLimecat (1103839) | more than 2 years ago | (#38144422)

Knowing the protocol isn't enough; one does not simply text into Mordor.

Re:CarrierIQ Protocol? (5, Funny)

BenJCarter (902199) | more than 2 years ago | (#38144988)

Three tablets for the Executive-kings under the sky,
Seven smart phones for the Dwarf-lords in their halls of silicone,
Nine voice phones for Mortal Men still doomed to work,
One App for the Dark Lord on his dark throne
In the Land of Mordor where the Servers are built.
One App to rule them all, One App to find them,
One App to phreak them all and through the internet pwn them
In the Land of Mordor where the hackers lie.

Re:CarrierIQ Protocol? (1)

Aryden (1872756) | more than 2 years ago | (#38145352)

Romania? China?

This is why I do not use Android (0, Troll)

bigredradio (631970) | more than 2 years ago | (#38143530)

Thank goodness I use an iPhone. Apple would never track me [readwriteweb.com] ....urr...crap! Nevermind.

Re:This is why I do not use Android (3, Insightful)

RyuuzakiTetsuya (195424) | more than 2 years ago | (#38144568)

yes, because completely anonymous crowd sourced location data is just like having the carrier snoop on your every text and call.

Tinker Tailor (0)

Anonymous Coward | more than 2 years ago | (#38143552)

Soldier Android

Why blame CIQ? (3, Insightful)

artor3 (1344997) | more than 2 years ago | (#38143568)

Their software serves a legitimate purpose. It reports usage metrics so that phone makers can make phones that better serve people's needs. This is a Good Thing.

The problem is that you should be allowed to opt out. Some people don't like participating in these programs, and that should be their choice. By default, CIQ's software lets the user opt out. The problem here is that some companies are blocking that option or making it extremely difficult. They are the ones who should be criticized here.

Re:Why blame CIQ? (5, Informative)

saihung (19097) | more than 2 years ago | (#38143576)

Did you read any of the linked documents? The criticism against CarrierIQ is not necessarily about what they're making, but that they are trying to shut this man up for telling the truth about their products under the guise of copyright claims. That deserves criticism, and lots of it.

Re:Why blame CIQ? (0)

artor3 (1344997) | more than 2 years ago | (#38143656)

Sure, but that's just their (improper) reaction to the initial wave of criticism. This guy decided to beat up on them for no good reason, and they fought back using dirty and immoral means. Neither side comes out smelling like roses here, and in the meantime we're all forgetting about the groups that are actually responsible for the whole thing.

Re:Why blame CIQ? (1)

Anonymous Coward | more than 2 years ago | (#38143690)

So what was he supposed to do? Take down his research? Pretend like it never happened? I'm serious, what would you have him do?

Re:Why blame CIQ? (1)

artor3 (1344997) | more than 2 years ago | (#38143838)

At the start? Ease back on the rhetoric (calling it a rootkit, for example), and assign the blame where it's due. Odds are CIQ wouldn't have even cared if he hadn't set out to attack them.

Now? I don't know. The C&D letter is way too demanding to simply submit to. He picked a fight and he's got one. It's a shame he picked the wrong target.

Re:Why blame CIQ? (3, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#38144224)

Sounds like he picked the right target to me.

Re:Why blame CIQ? (4, Insightful)

pla (258480) | more than 2 years ago | (#38144278)

Ease back on the rhetoric (calling it a rootkit, for example), and assign the blame where it's due.

So what would you call deliberately hidden software running as root, without your knowledge or consent?

Spyware by any other name would smell as bad.


It's a shame he picked the wrong target.

At some point, you have to hold the guys "just doing their job" accountable for their actions. Yes, their customers (the cell carriers) bear the brunt of the bad karma here, but no one sells thumb-screws to 4th-world dictators "for novelty purposes only".

Re:Why blame CIQ? (3)

asdfghjklqwertyuiop (649296) | more than 2 years ago | (#38143790)

Beat up on them for no good reason? They're a spyware manufacturer. Sounds like a perfectly valid reason to me.

Re:Why blame CIQ? (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38143824)

Sure, but that's just their (improper) reaction to the initial wave of criticism. This guy decided to beat up on them for no good reason,

You sound like a real tool right now. The guy is a security researcher and he pointed the finger at some nefarious software. What was he supposed to do? Just go, "Aww, shucks, I know y'all didn't really mean to do all this stuff so I'm a let this one slide."? I mean, WTF man? Are you scared their feelings are going to get hurt or something?

Re:Why blame CIQ? (5, Interesting)

Nursie (632944) | more than 2 years ago | (#38143916)

Wait, he shines the light of day on a key logger, data recorder and total invasion of privacy, customised for carriers so there are no opt-outs, and he's beating up on them for no reason?

Jesus....

Re:Why blame CIQ? (1)

b4dc0d3r (1268512) | more than 2 years ago | (#38145204)

I read the original story, and kinda forgot about it. But after this, my carrier is getting a call. And if they don't tell me how to turn it off, they're getting another.

And since they know who I'm calling, and can kinda predict these things, I'm going to keep calling. Predict this, cos it's coming. There is no excuse for censorship when it's running on MY GODDAM PHONE. It's mine, and if I don't know what it's doing, it's going straight up your ass. Did you predict that? Hope you brought lube. Unless you prefer a phone up your ass without. Predict it, live it, love it, take it.

Re:Why blame CIQ? (5, Insightful)

miserere nobis (1332335) | more than 2 years ago | (#38143816)

This is like saying that a person who follows and videotapes everything you do, from your bedroom moments to your PIN-entering moments, serves a legitimate purpose by being able to report usage metrics on how well your shoes meet your needs in getting you from place to place, and that the existence of the Nike Stalker Program therefore, because it can help bring about better footwear, is a Good Thing. Highly misplaced acceptance. While I would be happy to see my shoe companies take an active interest in how comfortable or uncomfortable I am while wearing their products for certain types of activities, subjecting me to complete surveillance in order to carry this out is inappropriate, morally wrong, personally unacceptable, and falls very much into the Bad Thing category.

Re:Why blame CIQ? (1)

Anonymous Coward | more than 2 years ago | (#38145706)

Except in this case it's more like blaming the camera creator for making a device which can record you, instead of Nike for using the camera to record you.

Or in other words, this company makes a software (with opt out options) which carriers purchased, and either disable or obscure the ability to opt-out.

Re:Why blame CIQ? (2)

the simurgh (1327825) | more than 2 years ago | (#38143830)

no no no you're wrong. it should be these people go to prison unless they prove we opt in. the fact is people say we should have the option of "opting out". THE TRUTH IS WE SHOULD BE KEPT OUT UNLESS WE OPT IN.

cost (4, Insightful)

currently_awake (1248758) | more than 2 years ago | (#38143936)

They are inflicting a financial cost (bandwidth charge) upon you without consent. It's like buying a car and having them keep a set of keys so they can take it for joyrides (using your gas).

Re:Why blame CIQ? (3, Insightful)

jamesh (87723) | more than 2 years ago | (#38144126)

Their software serves a legitimate purpose. It reports usage metrics so that phone makers can make phones that better serve people's needs. This is a Good Thing.

The problem is that you should be allowed to opt out. Some people don't like participating in these programs, and that should be their choice. By default, CIQ's software lets the user opt out. The problem here is that some companies are blocking that option or making it extremely difficult. They are the ones who should be criticized here.

The other problem is that you can't opt-out of something if you don't know it's there...

Re:Why blame CIQ? (5, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#38144214)

"The problem is that you should be allowed to opt out. "

Actually, it should be opt-in.

Re:Why blame CIQ? (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38144240)

I work for a handset OEM. The requirement to install CIQ on a handset is a mandatory requirement that has come in over the past year or two - the last phone we did just missed having to have it implemented. It is the carriers who get the logging information and we have to do the porting. I agree that users should absolutely have the ability to opt-out of this kind of snooping, but so far there's no requirement for such a setting. I *do* expect to see it very soon though if the carriers know what's good for them. Pressure to drop preloaded craplets worked with Sprint and to a certain extent AT&T, so I expect those to be first with an amended set of requirements, if indeed they don't drop CIQ like a stone for all the bad press they've caused.

Re:Why blame CIQ? (0)

Anonymous Coward | more than 2 years ago | (#38145996)

Let me guess, you work on one of these immoral products that are solely used for nefarious purposes but try to whitewash your actions because "you only sell a tool"?

Note: it's CarrierIQ not CarrierHighIQ. (1, Funny)

Kaz Kylheku (1484) | more than 2 years ago | (#38143570)

:)

Most importantly... (1)

Tasha26 (1613349) | more than 2 years ago | (#38143584)

how do i remove that spyware?

Re:Most importantly... (5, Informative)

TheyTookOurJobs (1930780) | more than 2 years ago | (#38143618)

Root your phone and load a custom rom, that will take care of a few problems. CIQ, Bloatware, and you can freely tether your internet.

Re:Most importantly... (1)

Bohiti (315707) | more than 2 years ago | (#38144300)

To be real specific, it would depend on the custom ROM. All of the Cyanogenmod builds should be free of CIQ, but if the ROM is based off stock, it all depends on how savvy the ROM-cooker is at removing CIQ, or whether it's even been updated since this information began spreading. ROMs based on stock builds from 6 months ago will still have CIQ.

Re:Most importantly... (0)

Anonymous Coward | more than 2 years ago | (#38145540)

Right. Cyanogenmod. That'll be safe:

Ever see an app called CyanogenMod Statistics?

Ever distribute a ROM with a key that anybody could use to put software on the phone to run as root:

http://hardware.slashdot.org/story/11/06/16/2127255/new-android-malware-attacks-custom-roms

Ha! (5, Funny)

Anonymous Coward | more than 2 years ago | (#38143588)

Let's see them track me on my landline! They'll never know where I am!

Re:Ha! (0)

Anonymous Coward | more than 2 years ago | (#38145564)

[knock][knock][knock]

Sir, we need to talk to you about something. Please resist.

Streisand effect? (5, Informative)

sdavid (556770) | more than 2 years ago | (#38143620)

They'd better watch out for the Streisand Effect [wikipedia.org] .

If they can see how crappy my battery life is (2)

sandytaru (1158959) | more than 2 years ago | (#38143630)

... then maybe I have hope of getting a fix, or at the very least, a more efficient battery on my next phone.

does this really matter? (5, Insightful)

miserere nobis (1332335) | more than 2 years ago | (#38143634)

I don't know how even on Slashdot there are some people who tend to argue "what do I care, if I'm not doing anything bad with my phone?" Let's get rid of that before it gets started here. I have a Samsung, Android, Sprint phone. That means I apparently have a logger installed that can track every key I press, every message I send, every web site I visit. That means that Sprint, Sprint employees, and whosoever Sprint or its employees should share this information with, whether that be government, advertisers, companies or individuals with malicious or invasive intent, whether this is shared on purpose or by accident or security breach, has access to such things as:

  • All my bank accounts
  • My email accounts
  • All my associates, how often I call them, and what I say to them via text message
  • The password to my KeePass database and every password stored therein

Phones are not just text messaging and dialing devices anymore. A keylogger on my phone is equally offensive as a keylogger on my home PC, and has the potential for just as great a compromise of my life's privacy and security. I have no control over the security with which Sprint or anyone else transmits or stores my personal information, and even more importantly, they have no right to have it in the first place. Besides the fact that the FBI has a well-known history of tracking the lives of many private citizens with politically motivated intent, I certainly do not care for the idea of private corporations and whoever works for them having all of my passwords and knowing where all my accounts are. There is no reasonable argument for why I should think this is okay. I do not have to be doing anything illegal for me to reasonably object to my mobile phone company having, or storing (with who knows what security), a back door into every single piece of my life. Somebody whose involvement in my life is supposed to be merely providing me with telephone service does not need and has no right to expect the master key to my whole digital, financial, social, and business life.

I will be contacting Sprint and asking them for a means to permanently remove this software from my phone. If they are unwilling (which they probably will be, but they need to actively hear a complaint from me and everyone else so they understand the offensiveness of their actions), I will have to go down the "root it and fix it myself" path. I hope the rest of you with affected phones will do the same.

Re:does this really matter? (2)

ad454 (325846) | more than 2 years ago | (#38143828)

A removal tool is definitely needed! In fact, Android needs to have a better way to prevent background data on Apps when they are not in use.

Maybe I should just root my Samsung Nexus S 4G and only use ROMs from non-commercial sources, such as from xda-developers.

Re:does this really matter? (0)

Anonymous Coward | more than 2 years ago | (#38144774)

Well you enjoy your roms based on stock leaks that include CIQ. Hope cyanogen makes a version for your phone.

Re:does this really matter? (0)

Anonymous Coward | more than 2 years ago | (#38143932)

Thank you for explaining why open is not always good.

Re:does this really matter? (1)

ThePeices (635180) | more than 2 years ago | (#38144264)

Sorry to burst your bubble, but he did not explain why open is not always good.

You made an incorrect assumption.

Re:does this really matter? (2)

TheGratefulNet (143330) | more than 2 years ago | (#38144056)

my work-around: I don't have carrier-paid data plans and I have 'texting' (god, I really hate that word, I really do) disabled as well.

my phone does wifi when I'm at home or at trusted places. other than that, it's a cellphone (remember those?) and it's there in case I need to make or take calls. then again, I'm in airplane mode at all times unless I'm actually expecting a call.

finally, the phone is bought unlocked (nexus one) and has no ties whatsoever to any carrier. with a pay-as-you-go plan, there's no chance of funnybusiness and I refuse to get a data plan for quite a lot of reasons, privacy being the paramount one.

I'm convinced that it's simply not in my best interest to buy a phone FROM a carrier or even one associated with a carrier. I'll buy my own phone, thank you. if you can afford to USE a phone, you should be able to BUY the farking thing! the scam of getting a subsidized one is really screwing over a lot of people (contracts, spying, etc). but again, you chose to subsidize it. maybe next time you'll realize there ain't no free lunch.

Re:does this really matter? (0)

Anonymous Coward | more than 2 years ago | (#38144166)

just because you have no carrier data plan doesn't mean that it isn't sending data to the carrier. if the carrier is willing to bear the cost of the data, no reason that they cannot transmit data for their own purposes.

Re:does this really matter? (1)

TheGratefulNet (143330) | more than 2 years ago | (#38144296)

here's how I know: the phone was never 'programmed' by anyone but me (ie, no user/pass/host/access was entered).

surely, you must admit that if there's no login credentials, there's ZERO chance of WAN connections being made. there's not even a way to 'dial out' on data if you've never configured a data access UI page on your phone.

100% sure that no data gets out except for wifi.

Re:does this really matter? (1)

Aryden (1872756) | more than 2 years ago | (#38145440)

data can be, and used to be, transmitted over your phone's standard connection. It doesn't need wifi to transmit data.

Re:does this really matter? (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38144196)

On my work phone are items that are covered in part by HIPAA + HITECH Act, PCI-DSS and more. Are these folks complying with those laws? If they get breached I get to notify thousands of people whose data may be compromised??

Nothing could go wrong.....

Re:does this really matter? (0)

Anonymous Coward | more than 2 years ago | (#38144414)

On my work phone are items that are covered in part by HIPAA + HITECH Act, PCI-DSS and more. Are these folks complying with those laws? If they get breached I get to notify thousands of people whose data may be compromised??

Well, then you should get a phone from a company that takes security seriously: BlackBerry. Certified & audited by NATO, and many others:

http://us.blackberry.com/ataglance/security/certifications.jsp [blackberry.com]

Re:does this really matter? (2)

Aryden (1872756) | more than 2 years ago | (#38145456)

hilarious if the carriers and ciq got hit with HIPAA compliance fines. What is it, $100,000 per incident now?

Re:does this really matter? (0)

Anonymous Coward | more than 2 years ago | (#38144336)

As I understand the article this only tracks:

key presses on the dialing pad. So they can see what phone number you called, but not what you type in general.
When a text is received, not the content of the text

Re:does this really matter? (1)

SmurfButcher Bob (313810) | more than 2 years ago | (#38144462)

So in other words, they're intercepting my voicemail passwords and pins.

Hey, wasn't that in the news the other day?

Re:does this really matter? (5, Informative)

exomondo (1725132) | more than 2 years ago | (#38144640)

As I understand the article this only tracks:

key presses on the dialing pad. So they can see what phone number you called, but not what you type in general. When a text is received, not the content of the text

FTFA:
“We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

Re:does this really matter? (2)

miserere nobis (1332335) | more than 2 years ago | (#38144766)

Nope. Read the original published findings. Can log basically every event on your phone, including every keypress.

Hackers site in scopes.. (1)

Anonymous Coward | more than 2 years ago | (#38143636)

If I wanted access root to all those phones I would, hypothetically (lol), target this shitty corp with everything I had..

Cease & Desist fail??? (5, Funny)

OzPeter (195038) | more than 2 years ago | (#38143670)

Is it me, or does the first point in the "Agreement" that CarrierIQ wants Eckhart to sign actually imply that CarrierIQ is performing the illegal copying???

I _______, agree to immediately

Cease and desist your unlawful copying of the Training Manuals

Good eye! (1)

Zero__Kelvin (151819) | more than 2 years ago | (#38144302)

At first I couldn't see what you were saying, but then I hunted down the Cease and Desist and laughed my ass off. They obviously meant it to read: I _______ agree to cease and desist my illegal copying .... As written it asks him to pledge to (magically?) cease & desist CarrierIQ's illegal copying. ROTFLMAO

With lawyers like that and the EFF on his side, I don't think he has much to worry about.

Supported TrevE (0)

Anonymous Coward | more than 2 years ago | (#38143758)

I use Samsung Nexus S and bought the app just to show my support. It's one thing to gather user metrics but to do so without allowing an opt out option is just not right. You go TrevE!

Time to lobby carriers and manufacturers? (0)

Anonymous Coward | more than 2 years ago | (#38143856)

All the noise about the C&D letters, isn't this the time to start writing and phoning up carriers and manufacturers and ask them to disclose their use of this technology? People have a right to expect a certain amount of privacy when using the devices they purchase, and if CarrierIQ is embedded in the handsets sold to customers it's reasonable that this is disclosed (at a minimum), that customers can disable the function to protect their privacy (better) or preferably be able to purchase handsets which don't have this - or similar - technology embedded (ideal).

If people are unable to make an informed choice on the use of CarrierIQ on their handset, then there is a real potential that the manufacturers or carriers are liable for any consequences. At a minimum, you could potentially blame it for increased data costs, let alone the consequences of data loss from it (credit card PIN numbers?).

And of course, once the malware writers become aware of it and leverage its capabilities for their own purposes, can the carriers and manufacturers avoid being responsible for contributing to this?

Does rooting and CM7 get rid of it? (5, Interesting)

EmagGeek (574360) | more than 2 years ago | (#38144020)

This is the only question I have right now. It's only a minor process to root my phone and install CyanogenMod on it.

Someone I was speaking with today was theorizing that there is actually a hypervisor layer running on smart phones, so even if you do root it, you're still not really getting raw access to the hardware - you're just rooting one VM, and this spyware runs in the hypervisor. I don't know how true this is, but I figure someone here knows.

Re:Does rooting and CM7 get rid of it? (5, Informative)

Anonymous Coward | more than 2 years ago | (#38144260)

Hypervisors aren't that stealthy, and can be made to reveal themselves quite easily once you perform a trapped instruction. Aside from the massive research cost in coming up with some kind of truly stealthy hypervisor, it would also significantly increase unit costs. So no, there's no hypervisor.

Re:Does rooting and CM7 get rid of it? (0)

Anonymous Coward | more than 2 years ago | (#38145622)

Hypervisors aren't your real concern. Even if you root and install Cyanogen you don't get a new set of radio firmware (look at the build process and see what "proprietary" files are extracted and stuck back in their rom.) Good luck guessing if that RIL or GPS or sensor driver houses anything that might slip info into the Google checkin system.

meeting in CarrierIQ's legal department (0)

Anonymous Coward | more than 2 years ago | (#38144134)

Bill> DAMMIT! The scary letter didn't work!
Jeff> What?! But the scary letter always works!
Bill> It would seem we are dealing with someone truly insidious, someone who knows their rights.
Bill> It's time for... plan B. We sue them into the ground!
Jeff> But we don't have a case.
Bill> DAMMIT, JEFF! How many times do I have to tell you? We're lawyers, ethics don't apply to us!

CarrierIQ training material (0)

Anonymous Coward | more than 2 years ago | (#38144348)

For the lazy (link taken from Eckhart's lawyer's response): the CarrierIQ training material, which Eckhart uploaded, is still available here [multiupload.com]. Apparently this "copyrighted" material was freely available on their website, now they've pulled it.

California-Based (2)

Khyber (864651) | more than 2 years ago | (#38144476)

This makes them an easy target for a MASSIVE class-action suit. California has some strict consumer protection and privacy laws.

You might want to send something like this to them (5, Informative)

Tuxedo Jack (648130) | more than 2 years ago | (#38144642)

Ms. Woods,

I possess and use an HTC EVO 3D smartphone in line with my daily duties for my employer and various clients. This phone contains your employer's software (CarrierIQ for Sprint), which was bundled with the device and zero disclosure that it was installed or of its capabilities.

My device contains HIPAA-protected data (specifically relating to EMR software and the data contained therein) as well as PCI-DSS related information for my company's various clients. As such, it is protected by all manner of privacy laws, the breach of which results in severe penalties under United States law.

After reading Trevor Eckhart's research and doing some of my own, I am curious as to specifically what data your organization is capturing on Sprint's behalf, as well as to what extent they have customized their build of your software, and what its capabilities with their modifications are.

If the software, either in its original form or modified, does indeed capture data from a phone, including the ability to take screenshots or access the contents of e-mail accounts or SMS messages, this could potentially be in violation of all manner of privacy acts, depending on what data is being harvested and whether your client has the option to turn such collection on or not.

Please note that, among other techniques, I will be disassembling the binaries that I possess on my device and will be comparing them against the original ROM image that HTC has issued for this device in order to differentiate what, if any, changes are pushed out through over-the-air updates in order to determine the capabilities of the software as best I can.

To the best of my knowledge, I have never accepted any license agreements or restrictions regarding the software on my device, and as such, I am not bound to refrain from analyzing the software as I see fit, nor from having the results peer-reviewed and published once completed.

If your department is unable to answer my questions, please relay this to someone else inside your organization as you see fit.

I remain,

INSERT_NAME_HERE

Re:You might want to send something like this to t (5, Insightful)

maevius (518697) | more than 2 years ago | (#38145696)

Although I would like this to work, I'm familiar with PCI-DSS and I'm pretty sure that it's your fault for keeping this data on a cell phone which is not PCI-DSS compliant and not the carrier's/CarrierIQ's

an opportunity (0)

Anonymous Coward | more than 2 years ago | (#38144660)

seems like a business opportunity is available for people to download a solution that deals with spyware, malware, etc -- an out-going agent that inspects packets and if they don't pass the criteria -- counter measures are taken

What CarrierIQ & Carriers are doing.... (1)

tantaliz3 (1074234) | more than 2 years ago | (#38144710)

should be very, very illegal. Why isn't this being investigated?

Hmmmm.... Anon bait? (0)

Anonymous Coward | more than 2 years ago | (#38144838)

Sounds like a good target for Anon...

RTFP! (3, Informative)

Virtucon (127420) | more than 2 years ago | (#38144900)

Read the F*ing Fine Print people! Your wireless carrier can do whatever they want with devices provisioned on their network. You therefore cannot be "surprised" when a third party comes along and offers them "services" to track customer usage patterns.

From AT&T Wireless Terms and Conditions [att.com]

You acknowledge that every business or personal decision, to some degree or another, represents an assumption of risk, and that neither AT&T nor its content and service providers or suppliers, in providing information, applications or other content or services, or access to information, applications, or other content underwrites, can underwrite, or assumes your risk in any manner whatsoever.

.... and ....

From 3.1 "My Device"

You are responsible for all phones and other devices containing a SIM assigned to your account ("Devices"). Your Device must be compatible with, and not interfere with, our Services and must comply with all applicable laws, rules, and regulations. We may periodically program your Device remotely with system settings for roaming service, to direct your Device to use network services most appropriate for your typical usage, and other features that cannot be changed manually.

Devices purchased for use on AT&T's system are designed for use exclusively on AT&T's system ("Equipment"). You agree that you won't make any modifications to the Equipment or programming to enable the Equipment to operate on any other system. AT&T may, at its sole and absolute discretion, modify the programming to enable the operation of the Equipment on other systems.

Re:RTFP! (4, Informative)

quixote9 (999874) | more than 2 years ago | (#38145140)

Actually, no. EULAs, TOS, whatever, which contravene actual laws, are invalid. You couldn't, for instance, bury a clause in a sale contract stipulating that by signing the buyer had agreed to be your slave. Or, you could, but it wouldn't hold up in court.

And that's the problem. Very few of us have the money, energy, or time to fight all the bullshit contracts we have to sign. So they haven't (yet) been thrown out of court. That doesn't change the fact that they're garbage.

Consumer compensation (3, Interesting)

failedlogic (627314) | more than 2 years ago | (#38144998)

I was hoping someone can convince CarrierIQ to pay the millions of smartphone users that have the software installed on their phone.

If I were to find this software on my phone, might it generally be a violation of the Terms so I can opt out of the contract?

Running Cronos ROM avoids this giant PITA (1)

griffo (220478) | more than 2 years ago | (#38145980)

All hail the independent Android ROM developers, who avoid this PITA!

Thank you thank you thank you !!!!!!!!!!

For me, the Cronos ROM has extended the useful life of my Hero greatly!
